'Curious' Hack Jailbreaks Windows RT

A security researcher has hacked Windows RT to allow it to run desktop applications by bypassing the OS's security systems. The jailbreaking isn't dangerous to users' systems, he insists.

"It cannot at this point be exploited without the user actually wanting it, so it's not dangerous," researcher C.L. Roker told TechNewsWorld.

The flaw that permitted Roker to sidestep security protections on Microsoft's Surface tablet and run Windows desktop applications on it is a vulnerability, he added.

Following Roker's posting of his discovery of the RT flaw on Sunday, Microsoft confirmed the defect in the operating system and discounted its threat to RT users.

"The scenario outlined is not a security vulnerability and does not pose a threat to Windows RT users," it said in a statement. "The mechanism described is not something the average user could, or reasonably would, leverage as it requires local access to a system, local administration rights and a debugger in order to work."

Microsoft did not respond to our request for further details.

Hacker Praised

In an unusual twist, Microsoft praised the researcher for finding the flaw in RT. "We applaud the ingenuity of the folks who worked this out and the hard work they did to document it," it stated.

It suggested, however, that the window on this flaw will be closing shortly. "We'll not guarantee these approaches will be there in future releases," it observed.

The vulnerability in RT resides in its kernel, Roker explained in his "On the Surface of Security" blog.

RT's code, which is designed to run with ARM processors, is based on Windows 8 desktop code, which is designed to work with Intel processors. The kernel flaw exists in Windows and was copied into RT when the desktop OS's code was ported to the OS for Microsoft's tablet.

Signature Requirements Altered

Whether a program will run in RT depends on a digital signature. The minimum requirements for a program's signature are controlled within the kernel and protected by one of Windows 8's strongest new security additions: UEFI Secure Boot.

"This is not a user setting, but a hard-coded global value in the kernel itself," Roker explained. "It cannot be changed permanently on devices with UEFI's Secure Boot enabled."

However, Roker discovered that the minimum signature requirements for a program could be altered in memory, using a debugging tool, during an active session.

On a machine with an Intel processor, the minimum value for a signature is "0," which means any program can run on the computer. With an RT machine, it's "8," which limits applications largely to those in Microsoft's app store.

'Cool' Hack

By changing the minimum signature requirements for RT, Roker found he could run 32-bit Windows desktop applications on his Surface tablet.

That's a good thing, he argued, and Microsoft should consider making it a feature of Surface.

"The decision to ban traditional desktop applications was not a technical one, but a bad marketing decision," Roker said. "Windows RT needs the Win32 ecosystem to strengthen its position as a productivity tool. There are enough 'consumption' tablets already."

The chances of Roker's findings being exploited by a hacker are extremely remote,
Eset researcher Aryeh Goretsky told TechNewsWorld. "This is more of a curiosity than anything else. I would file it under 'cool hack.'"

Unlike the typical jailbreaking or rooting of a mobile device, Roker's exploit lacks persistence, Goretsky added. "You have to re-inject it after each time you power up or reboot the device," he observed.

Tinkering's Downside

While running Windows desktop apps on Surface may be an attractive idea to some, implementing Roker's hack could have negative consequences, according to Vizay Kotikalapudi, senior manager with
Symantec's Enterprise Mobility Group.

"Once you jailbreak a device, the stability of a device is no longer guaranteed," he told TechNewsWorld. "You can have memory leaks, applications crashing all the time and networks not working correctly."

Moreover, installed apps may stop working, he added. "One of the basic things that most apps do is check to see if a device is jailbroken or rooted and if it is, those apps won't run."

As a Surface owner,
Directions On Microsoft Windows Analyst Michael Cherry is puzzled by those who'd want to jailbreak the tablet.

"If you want to buy a tablet with an ARM processor and use it for some other operating system or some other purpose, there are probably better things to buy than a Windows RT device," he told TechNewsWorld.

In addition, running applications designed for the desktop on Surface would interfere with one of his primary reasons for buying the tablet he noted.

"I wanted to have a tablet with a Windows operating system that offered a long battery life," he explained. "I'm getting about 10 hours of battery life between charges. The reason that is, is I'm running the new Windows 8 store apps. If I were to start loading on a bunch of legacy apps, I'd probably be starting up a whole lot of processes and services that would chew up my battery life."